In a network admission control (NAC) system operating at communication layer L3, where forwarding is based on IP addresses, a switch allocates an IP address to a client according to the authentication domain that an authentication server plans for the user. When the authentication domain planned by the authentication server for the user is changed, the IP address of the client is not changed. In this case, the user can access neither resources in the previous authentication domain nor resources in the current authentication domain; the user can access resources in the current authentication domain only after manually releasing the previous IP address and reapplying for an IP address.
In the prior art, before the authentication server switches the authentication domain of the user, the ports of the switch are temporarily disabled, and they are re-enabled after the authentication domain of the user has been switched. If the client is directly connected to the switch, the network interface card of the client disconnects and reconnects following the state of the switch ports, and obtains an IP address corresponding to the current authentication domain during reconnection, without manual operation by the user.
However, the prior art applies only to a scenario where the client is directly connected to the switch. When other devices are connected between the client and the switch, the client cannot perceive whether the ports of the switch are disabled or enabled, and therefore cannot obtain a new IP address. In addition, in an actual network, a switch port is connected to more than one client. Disabling and re-enabling the port therefore also affects the connections between the switch and the other clients. This approach has high operation costs, strong constraints, and poor scalability.
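
The behaviour described above can be reproduced in a small model, added here as an illustration and not part of the original text. The subnets, the `Client` class and the functions `lease`, `can_access` and `bounce_port` are hypothetical, and the access rule is an assumed policy consistent with the description.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count

# Constructed domain-to-subnet plan (assumption; the text names no subnets).
SUBNETS = {"guest": ipaddress.ip_network("10.10.0.0/24"),
           "staff": ipaddress.ip_network("10.20.0.0/24")}
_next_host = {d: count(10) for d in SUBNETS}

def lease(domain):
    """Hand out the next address in the domain's subnet (stand-in for DHCP)."""
    return SUBNETS[domain][next(_next_host[domain])]

@dataclass
class Client:
    name: str
    domain: str    # authentication domain currently planned for the user
    direct: bool   # True if the NIC is cabled straight to the switch port
    ip: ipaddress.IPv4Address = None

    def __post_init__(self):
        self.ip = self.ip or lease(self.domain)

def can_access(client, resource_domain):
    """Assumed L3 policy: the source IP must lie in the subnet of the user's
    current domain, and only that domain's resources are reachable."""
    return (client.ip in SUBNETS[client.domain]
            and resource_domain == client.domain)

def bounce_port(clients_on_port):
    """Prior-art workaround: disable, then re-enable, the switch port.
    Every client on the port is interrupted, but only a directly connected
    NIC sees the link drop and requests an address for its current domain."""
    for c in clients_on_port:
        if c.direct and c.ip not in SUBNETS[c.domain]:
            c.ip = lease(c.domain)
    return [c.name for c in clients_on_port]  # all of them lost connectivity

if __name__ == "__main__":
    moved = Client("moved", "guest", direct=False)    # behind another device
    bystander = Client("bystander", "guest", direct=False)
    moved.domain = "staff"                            # domain changes, IP does not
    print(bounce_port([moved, bystander]), moved.ip, can_access(moved, "staff"))
```
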